π¦ ClawHub
Ssh Essentials
by @arnarsson
Essential SSH commands for secure remote access, key management, tunneling, and file transfers.
TERMINAL
clawhub install ssh-essentialsπ About This Skill
name: ssh-essentials description: Essential SSH commands for secure remote access, key management, tunneling, and file transfers. homepage: https://www.openssh.com/ metadata: {"clawdbot":{"emoji":"π","requires":{"bins":["ssh"]}}}
SSH Essentials
Secure Shell (SSH) for remote access and secure file transfers.
Basic Connection
Connecting
# Connect with username
ssh user@hostnameConnect to specific port
ssh user@hostname -p 2222Connect with verbose output
ssh -v user@hostnameConnect with specific key
ssh -i ~/.ssh/id_rsa user@hostnameConnect and run command
ssh user@hostname 'ls -la'
ssh user@hostname 'uptime && df -h'
Interactive use
# Connect with forwarding agent
ssh -A user@hostnameConnect with X11 forwarding (GUI apps)
ssh -X user@hostname
ssh -Y user@hostname # Trusted X11Escape sequences (during session)
~. - Disconnect
~^Z - Suspend SSH
~# - List forwarded connections
~? - Help
SSH Keys
Generating keys
# Generate RSA key
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"Generate ED25519 key (recommended)
ssh-keygen -t ed25519 -C "your_email@example.com"Generate with custom filename
ssh-keygen -t ed25519 -f ~/.ssh/id_myserverGenerate without passphrase (automation)
ssh-keygen -t ed25519 -N "" -f ~/.ssh/id_deploy
Managing keys
# Copy public key to server
ssh-copy-id user@hostnameCopy specific key
ssh-copy-id -i ~/.ssh/id_rsa.pub user@hostnameManual key copy
cat ~/.ssh/id_rsa.pub | ssh user@hostname 'cat >> ~/.ssh/authorized_keys'Check key fingerprint
ssh-keygen -lf ~/.ssh/id_rsa.pubChange key passphrase
ssh-keygen -p -f ~/.ssh/id_rsa
SSH agent
# Start ssh-agent
eval $(ssh-agent)Add key to agent
ssh-add ~/.ssh/id_rsaList keys in agent
ssh-add -lRemove key from agent
ssh-add -d ~/.ssh/id_rsaRemove all keys
ssh-add -DSet key lifetime (seconds)
ssh-add -t 3600 ~/.ssh/id_rsa
Port Forwarding & Tunneling
Local port forwarding
# Forward local port to remote
ssh -L 8080:localhost:80 user@hostname
Access via: http://localhost:8080
Forward to different remote host
ssh -L 8080:database.example.com:5432 user@jumphost
Access database through jumphost
Multiple forwards
ssh -L 8080:localhost:80 -L 3306:localhost:3306 user@hostname
Remote port forwarding
# Forward remote port to local
ssh -R 8080:localhost:3000 user@hostname
Remote server can access localhost:3000 via its port 8080
Make service accessible from remote
ssh -R 9000:localhost:9000 user@publicserver
Dynamic port forwarding (SOCKS proxy)
# Create SOCKS proxy
ssh -D 1080 user@hostnameUse with browser or apps
Configure SOCKS5 proxy: localhost:1080
With Firefox
firefox --profile $(mktemp -d) \
--preferences "network.proxy.type=1;network.proxy.socks=localhost;network.proxy.socks_port=1080"
Background tunnels
# Run in background
ssh -f -N -L 8080:localhost:80 user@hostname-f: Background
-N: No command execution
-L: Local forward
Keep alive
ssh -o ServerAliveInterval=60 -L 8080:localhost:80 user@hostname
Configuration
SSH config file (~/.ssh/config)
# Simple host alias
Host myserver
HostName 192.168.1.100
User admin
Port 2222With key and options
Host production
HostName prod.example.com
User deploy
IdentityFile ~/.ssh/id_prod
ForwardAgent yes
Jump host (bastion)
Host internal
HostName 10.0.0.5
User admin
ProxyJump bastionHost bastion
HostName bastion.example.com
User admin
Wildcard configuration
Host *.example.com
User admin
ForwardAgent yes
Keep connections alive
Host *
ServerAliveInterval 60
ServerAliveCountMax 3
Using config
# Connect using alias
ssh myserverJump through bastion automatically
ssh internalOverride config options
ssh -o "StrictHostKeyChecking=no" myserver
File Transfers
SCP (Secure Copy)
# Copy file to remote
scp file.txt user@hostname:/path/to/destination/Copy file from remote
scp user@hostname:/path/to/file.txt ./local/Copy directory recursively
scp -r /local/dir user@hostname:/remote/dir/Copy with specific port
scp -P 2222 file.txt user@hostname:/path/Copy with compression
scp -C large-file.zip user@hostname:/path/Preserve attributes (timestamps, permissions)
scp -p file.txt user@hostname:/path/
SFTP (Secure FTP)
# Connect to SFTP server
sftp user@hostnameCommon SFTP commands:
pwd - Remote working directory
lpwd - Local working directory
ls - List remote files
lls - List local files
cd - Change remote directory
lcd - Change local directory
get file - Download file
put file - Upload file
mget *.txt - Download multiple files
mput *.jpg - Upload multiple files
mkdir dir - Create remote directory
rmdir dir - Remove remote directory
rm file - Delete remote file
exit/bye - Quit
Batch mode
sftp -b commands.txt user@hostname
Rsync over SSH
# Sync directory
rsync -avz /local/dir/ user@hostname:/remote/dir/Sync with progress
rsync -avz --progress /local/dir/ user@hostname:/remote/dir/Sync with delete (mirror)
rsync -avz --delete /local/dir/ user@hostname:/remote/dir/Exclude patterns
rsync -avz --exclude '*.log' --exclude 'node_modules/' \
/local/dir/ user@hostname:/remote/dir/Custom SSH port
rsync -avz -e "ssh -p 2222" /local/dir/ user@hostname:/remote/dir/Dry run
rsync -avz --dry-run /local/dir/ user@hostname:/remote/dir/
Security Best Practices
Hardening SSH
# Disable password authentication (edit /etc/ssh/sshd_config)
PasswordAuthentication no
PubkeyAuthentication yesDisable root login
PermitRootLogin noChange default port
Port 2222Use protocol 2 only
Protocol 2Limit users
AllowUsers user1 user2Restart SSH service
sudo systemctl restart sshd
Connection security
# Check host key
ssh-keygen -F hostnameRemove old host key
ssh-keygen -R hostnameStrict host key checking
ssh -o StrictHostKeyChecking=yes user@hostnameUse specific cipher
ssh -c aes256-ctr user@hostname
Troubleshooting
Debugging
# Verbose output
ssh -v user@hostname
ssh -vv user@hostname # More verbose
ssh -vvv user@hostname # Maximum verbosityTest connection
ssh -T user@hostnameCheck permissions
ls -la ~/.ssh/
Should be: 700 for ~/.ssh, 600 for keys, 644 for .pub files
Common issues
# Fix permissions
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub
chmod 644 ~/.ssh/authorized_keysClear known_hosts entry
ssh-keygen -R hostnameDisable host key checking (not recommended)
ssh -o StrictHostKeyChecking=no user@hostname
Advanced Operations
Jump hosts (ProxyJump)
# Connect through bastion
ssh -J bastion.example.com user@internal.localMultiple jumps
ssh -J bastion1,bastion2 user@final-destinationUsing config (see Configuration section above)
ssh internal # Automatically uses ProxyJump
Multiplexing
# Master connection
ssh -M -S ~/.ssh/control-%r@%h:%p user@hostnameReuse connection
ssh -S ~/.ssh/control-user@hostname:22 user@hostnameIn config:
ControlMaster auto
ControlPath ~/.ssh/control-%r@%h:%p
ControlPersist 10m
Execute commands
# Single command
ssh user@hostname 'uptime'Multiple commands
ssh user@hostname 'cd /var/log && tail -n 20 syslog'Pipe commands
cat local-script.sh | ssh user@hostname 'bash -s'With sudo
ssh -t user@hostname 'sudo command'
Tips
~/.ssh/config for frequently accessed hosts/var/log/auth.log for suspicious activityDocumentation
Official docs: https://www.openssh.com/manual.html
Man pages: man ssh, man ssh_config, man sshd_config
βοΈ Configuration
SSH config file (~/.ssh/config)
# Simple host alias
Host myserver
HostName 192.168.1.100
User admin
Port 2222With key and options
Host production
HostName prod.example.com
User deploy
IdentityFile ~/.ssh/id_prod
ForwardAgent yes
Jump host (bastion)
Host internal
HostName 10.0.0.5
User admin
ProxyJump bastionHost bastion
HostName bastion.example.com
User admin
Wildcard configuration
Host *.example.com
User admin
ForwardAgent yes
Keep connections alive
Host *
ServerAliveInterval 60
ServerAliveCountMax 3
Using config
# Connect using alias
ssh myserverJump through bastion automatically
ssh internalOverride config options
ssh -o "StrictHostKeyChecking=no" myserver
π Tips & Best Practices
~/.ssh/config for frequently accessed hosts/var/log/auth.log for suspicious activity